freeradius <=> MS IAS passthrough

Alan DeKok aland at deployingradius.com
Thu May 17 17:54:28 CEST 2007


Ian Savoy wrote:
> What's happening, is when I use the radclient to auth DIRECTLY to the 
> IAS server, I get an Access-Accept response.  However, when I use the 
> proxy, they are receiving an encrypted password...either that or an 
> incorrectly encrypted password that cannot be decrypted by their IAS.

  Then the shared secret is wrong.

>  I 
> am using the Password attribute with radclient rather than 
> User-Password,

  They are the same attribute.

> so I believe when I was using radclient it was sending an
> unencrypted password.  When I run radiusd -X, I am able to see his 
> password, so I'm assuming it's being relayed in plain-text.  Is this 
> correct?  Or does debug mode decrypt the password for my viewing pleasure?

  It decrypts the password so you can see it.

> I guess the root of my question is, Does IAS send plain-text passwords?  

  I'm not sure what you mean by that.  The RADIUS protocol specifies
that passwords are encrypted when sent over the wire, but the shared
secret allows each RADIUS server to turn that encrypted password into a
plain-text one.

  So if IAS is sending something to FreeRADIUS, IAS has the password in
clear text.  It's encrypted on the Ethernet.  FreeRADIUS decrypts it to
clear text.

> Also is there a way I can send the password to IAS via an encryption 
> method that it can understand without making a global change?  This 
> can't be done in proxy.conf, so would the answer then be user specific?  

  The question makes no sense.  There is one way for clear text
passwords to be sent over the wire.  If it's not working, the shared
secret is wrong.

> On the IAS end the reason why they can't auth is their problem - their 
> proxy is stripping the realm info from the username and just sending us 
> user@, i.e. no realm info, but how do I set the FR proxy to relay the 
> login info via an encryption method that can be understood by IAS?

  Huh?  Who's sending what to who?  You've just said multiple servers
are proxying to each other.

>  they
> accept the following auth methods - MS-CHAP, MS-CHAP V2, CHAP, and PAP.

  RADIUS servers don't change authentication protocols.  If the client
sends X, a proxy will forward X to the home server.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
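The User-Password hiding Alan describes (and why a wrong shared secret produces an undecryptable password, while a proxy that knows both secrets can re-hide it for the home server) worked through in Python. This is an added example, not code from the thread or from FreeRADIUS; it follows RFC 2865 section 5.2 and the secret, authenticator and password values are constructed for illustration.

```python
import hashlib
import os


def _padded(password: bytes) -> bytes:
    # RFC 2865 5.2: pad with NULs to a multiple of 16 octets, minimum one block.
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    return password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password: each 16-octet block is XORed with
    MD5(secret + previous hidden block); the first block uses the
    16-octet Request Authenticator instead of a previous block."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    hidden, prev = b"", authenticator
    for i in range(0, len(_padded(password)), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(_padded(password)[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. With the wrong secret the MD5 keystream
    differs and the result is garbage, which is what the IAS side sees."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def proxy_rehide(hidden: bytes, client_secret: bytes, client_auth: bytes,
                 home_secret: bytes, home_auth: bytes) -> bytes:
    """What a proxy does: decrypt with the NAS-side secret, re-hide with the
    home-server secret and the proxy's own new Request Authenticator."""
    return hide_password(reveal_password(hidden, client_secret, client_auth),
                         home_secret, home_auth)


if __name__ == "__main__":
    auth = os.urandom(16)                      # constructed authenticator
    on_wire = hide_password(b"hunter2", b"nas-secret", auth)
    print(reveal_password(on_wire, b"nas-secret", auth))    # b'hunter2'
    print(reveal_password(on_wire, b"wrong-secret", auth))  # garbage bytes
```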
